Computer program, method, and system for preventing execution of viruses and malware

ABSTRACT

Preventing execution of viruses or malware on a computing device includes compiling an inventory recordation of legitimate applications while in a training mode and terminating execution of any application not on the inventory recordation while in a protected mode. A user may train the computer program to identify legitimate applications routinely accessed by the user and to be updated to the inventory recordation, such that the inventory recordation is personal to the user. After training, the protected mode is activated. While an Internet browser or e-mail client application is activated while in the protected mode, execution of any accessed application that is not uniquely identified on the inventory recordation is terminated.

RELATED APPLICATIONS

This patent application claims priority benefit, with regard to all common subject matter, of earlier-filed U.S. Provisional Patent Application No. 61/543,068, filed Oct. 4, 2011, and entitled “COMPUTER PROGRAM AND METHOD FOR PREVENTION OF INFECTION OR EXECUTION OF VIRUSES AND MALWARE,” and U.S. Provisional Patent Application No. 61/493,166, filed Jun. 3, 2011, and entitled “COMPUTER PROGRAM AND METHOD FOR PREVENTION OF INFECTION OR EXECUTION OF VIRUSES AND MALWARE.” The identified earlier-filed provisional patent applications are hereby incorporated by reference in their entirety into the present application.

BACKGROUND

1. Field

Embodiments of the present invention provide a computer program, a method, and a system for prevention of infection or execution of viruses and malware on a computing device. More particularly, embodiments of the present invention prohibit infection or execution of all new applications or processes while a protected mode of the computer program of the present invention is activated.

2. Related Art

Infection of a computing device by a virus or item of malware is a significant problem for many computer users. Malfeasants initiating the virus/malware are skilled at cloaking the virus as a legitimate application, such that many computer users unknowingly allow execution of the virus on the user's computing device. To combat this problem, there are many types of virus/malware prevention computer programs. A first type of program attempts to track each new virus/malware, compare an application to be executed against a list of known viruses and items of malware, and block any application that matches the listing of known viruses and malware. This method of virus prevention has many detractions, however. For example, literally multiple thousands of viruses are known on any given day, and every day more viruses are added to the “virus list.” The upkeep of the virus list requires daily, if not hourly, monitoring and updating. Additionally, the processing time to compare an application attempting to execute on the user's computing device to the “virus list” is time consuming, as the list is usually very extensive. Thus, the processing time employed by the computing device's CPU and the memory and hard drive utilization are relatively larger for lengthy lists of viruses. Additionally, these virus prevention methods require scanning and filtering through numerous known viruses, which increases processing time and hard drive utilization.

A second type of virus/malware prevention approaches the problem by maintaining a whitelist of legitimate (i.e., non-virus) applications. Similar to the above example, any new application attempting to be executed is compared to the applications on the whitelist. If there is a match, then the application is allowed to execute. Although the whitelist of legitimate applications is not as numerous as the “virus list” described above, the whitelist is usually still several thousand applications, and more applications are routinely added. Because the whitelist is a universal whitelist for all computer users, if a particular computer user accesses a little known application, then the application may not be on the whitelist, even if it is legitimate. The user must then request the application be specifically executed via a series of advanced steps, and such selection of the advanced steps must be undertaken each time the application is accessed.

Accordingly, there is a need for a computer program, a method, and a system that prevents execution of a virus or item of malware quickly, without using significant computer resources, that is easy for the average computer user to use, and that is unobtrusive and does not interfere with the user's use of the computing device.

SUMMARY

Embodiments of the present invention solve the above-mentioned problems and provide a computer program, a method, and a system for prevention of infection or execution of viruses and malware on a computing device. Embodiments of the present invention advantageously kill, block, and deny from running or being executed unwanted or malicious computer code by having no exception to what applications may be executed while the computer program is in an activated protected mode. In particular, while the protected mode is activated, no application may be executed unless it is listed on an inventory recordation personal to the user, wherein the inventory recordation lists information uniquely identifying a plurality of legitimate applications.

The user may activate a training mode during which the user may train the computer program as to which legitimate applications the user routinely accesses. The computer program then compiles the inventory recordation that is personal to the user, as the inventory recordation lists applications accessed by the user during the training mode. Thus, the inventory recordation of embodiments of the present invention is not a universal whitelist intending to list all legitimate applications for all users, but is instead a listing of applications that are, at least in part, selected by each particular user and based off of and a result of the user's use of the computing device and accessed applications. Because the inventory recordation is personal to the user, the list of legitimate applications on the inventory recordation is substantially shorter than prior art “whitelisting” methods. This results in embodiments of the present invention using less than one percent of a particular computing device's processing capabilities.

The computer program and method of embodiments of the present invention comprise the initial step of compiling the inventory recordation personal to the user by (1) receiving an instruction from the user to selectively activate the training mode, (2) receiving information identifying at least one application requested by the user to be executed by the computing device, and (3) updating the inventory recordation to include the information identifying the requested application, such that at least one application identified on the inventory recordation directly results from the user's instruction to execute the application during the training mode. After compiling the inventory recordation personal to the user, the computer program and method of embodiments of the present invention broadly comprise the steps of activating the protected mode, such that upon activation of the protected mode, the training mode is automatically deactivated; receiving, while the protected mode is activated, information indicative of an attempt by the user to execute an unconfirmed application, wherein the information indicative of an attempt by the user to execute an unconfirmed application includes information identifying the unconfirmed application; comparing the information identifying the unconfirmed application with information identifying the listing of applications on the inventory recordation that are approved for execution; identifying the unconfirmed application as an application approved for execution if the information identifying the unconfirmed application matches with information identifying an application on the inventory recordation; and identifying the unconfirmed application as an application not approved for execution if the information identifying the unconfirmed application does not match with information identifying an application on the inventory recordation.

This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. Other aspects and advantages of the present invention will be apparent from the following detailed description of the embodiments and the accompanying drawing figures.

BRIEF DESCRIPTION OF THE DRAWING FIGURES

Embodiments of the present invention are described in detail below with reference to the attached drawing figures, wherein:

FIG. 1 is a schematic depiction of a system for prevention of execution of viruses and malware on a computing device constructed in accordance with various embodiments of the present invention;

FIG. 2 is a flow chart of a method of prevention of execution of viruses and malware on a computing device;

FIG. 3 is a first screen capture of the computer program of embodiments of the present invention and illustrating an inventory recordation and, in particular, exemplary administrator applications;

FIG. 4 is a second screen capture of the computer program of embodiments of the present invention and illustrating the computer program in a training mode;

FIG. 5 is a third screen capture of the computer program of embodiments of the present invention and illustrating the computer program in a protected mode (indicated as “ON”);

FIG. 6 is a fourth screen capture of the computer program of embodiments of the present invention and illustrating a menu of user-selectable operations for instructing the computer program;

FIG. 7 is a fifth screen capture of the computer program of embodiments of the present invention and illustrating a user option menu providing a plurality of user-selectable options for the operations of the computer program; and

FIG. 8 is a sixth screen capture of the computer program of embodiments of the present invention and illustrating a notification by the computer program of the blocking of an application attempted to be executed by the user.

The drawing figures do not limit the present invention to the specific embodiments disclosed and described herein. The drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the invention.

DETAILED DESCRIPTION OF THE EMBODIMENTS

The following detailed description of the invention references the accompanying drawings that illustrate specific embodiments in which the invention can be practiced. The embodiments are intended to describe aspects of the invention in sufficient detail to enable those skilled in the art to practice the invention. Other embodiments can be utilized and changes can be made without departing from the scope of the present invention. The following detailed description is, therefore, not to be taken in a limiting sense. The scope of the present invention is defined only by the appended claims, along with the full scope of equivalents to which such claims are entitled.

In this description, references to “one embodiment,” “an embodiment,” or “embodiments” mean that the feature or features being referred to are included in at least one embodiment of the technology. Separate references to “one embodiment,” “an embodiment,” or “embodiments” in this description do not necessarily refer to the same embodiment and are also not mutually exclusive unless so stated and/or except as will be readily apparent to those skilled in the art from the description. For example, a feature, structure, act, etc. described in one embodiment may also be included in other embodiments, but is not necessarily included. Thus, the present technology can include a variety of combinations and/or integrations of the embodiments described herein.

The present invention provides various embodiments of a computer program, a method, and a virus and malware prevention system 10. The invention prevents execution of any application by an operating system of a computing device that is not identified on an inventory recordation listing legitimate applications. In embodiments of the present invention, at least a plurality of the applications identified on the inventory recordation is personal to either or both of the computing device or a logged user of the computing device, such as when the user gains access to the computing device via a username and password or other “logging in” or authentication feature. An “application” as used herein is defined as any process, program, or application that can be or is executed by the computing device.

As detailed below, the computer program of embodiments of the present invention comprises a plurality of code segments executable by the computing device for performing the steps of the method of the present invention. The steps of the method may be performed in the order shown in FIG. 2, or they may be performed in a different order. Furthermore, some steps may be performed concurrently as opposed to sequentially. Also, some steps may be optional.

The user of the present invention can selectively activate a program mode for desired operational features. The present invention includes at least two program modes, namely a training mode and a protected mode, wherein there are two variations of the protected mode. In further embodiments of the present invention, a third program mode, referred to as an off mode, may also be activated by the user.

Depending on the activated program mode and/or also whether an application is on the inventory recordation, the computer program of the present invention either instructs the operating system to cease execution of the application or otherwise does not prevent or interfere with execution of the application. Thus, it should be understood and appreciated that the computer program does not actually execute any particular application; instead, the operating system of the computing device executes the application. Reference to the computer program of the present invention executing an application or allowing execution of an application is intended to encompass the computer program not instructing the operating system to terminate execution of a particular application.

The computer program and method of embodiments of the present invention comprise the initial step of compiling the inventory recordation personal to the user by (1) receiving an instruction from the user to selectively activate the training mode, (2) receiving information identifying at least one application requested by the user to be executed by the computing device, and (3) updating the inventory recordation to include the information identifying the requested application, such that at least one application identified on the inventory recordation directly results from the user's instruction to execute the application during the training mode. After compiling the inventory recordation personal to the user, the computer program and method of embodiments of the present invention broadly comprise the steps of activating the protected mode, such that upon activation of the protected mode, the training mode is automatically deactivated; receiving, while the protected mode is activated, information indicative of an attempt by the user to execute an unconfirmed application, wherein the information indicative of an attempt by the user to execute an unconfirmed application includes information identifying the unconfirmed application; comparing the information identifying the unconfirmed application with information identifying the listing of applications on the inventory recordation that are approved for execution; identifying the unconfirmed application as an application approved for execution if the information identifying the unconfirmed application matches with information identifying an application on the inventory recordation; and identifying the unconfirmed application as an application not approved for execution if the information identifying the unconfirmed application does not match with information identifying an application on the inventory recordation.

Hardware Description

The computer program and the method of embodiments of the present invention may be implemented in hardware, software, firmware, or combinations thereof using the virus and malware prevention system 10, shown in FIG. 1, which broadly comprises server devices 12, computing devices 14, and a communications network 16. The server devices 12 may include computing devices that provide access to one or more general computing resources, such as Internet services, electronic mail services, data transfer services, and the like. The server devices 12 may also provide access to databases storing each user's or computing device's inventory recordation.

The computing device may include any device, component, or equipment with a processing element and associated memory elements. The processing element may implement operating systems, and may be capable of executing the computer program, which is also generally known as instructions, commands, software code, executables, applications, apps, and the like. The processing element may include processors, microprocessors, microcontrollers, field programmable gate arrays, and the like, or combinations thereof. The memory elements may be capable of storing or retaining the computer program and may also store data, typically binary data, including text, databases, graphics, audio, video, combinations thereof, and the like. The memory elements may also be known as a “computer-readable storage medium” and may include random access memory (RAM), read only memory (ROM), flash drive memory, floppy disks, hard disk drives, optical storage media such as compact discs (CDs or CDROMs), digital video disc (DVD), Blu-Ray™, and the like, or combinations thereof. In addition to these memory elements, the server devices 12 may further include file stores comprising a plurality of hard disk drives, network attached storage, or a separate storage network.

The computing devices 14 may include work stations, desktop computers, laptop computers, palmtop computers, tablet computers, portable digital assistants (PDA), smart phones, and the like, or combinations thereof. Various embodiments of the computing device 14 may also include voice communication devices, such as cell phones or landline phones.

The communications network 16 may be wired or wireless and may include servers, routers, switches, wireless receivers and transmitters, and the like, as well as electrically conductive cables or optical cables. The communications network 16 may also include local, metro, or wide area networks, as well as the Internet, or other cloud networks. Furthermore, the communications network 16 may include cellular or mobile phone networks, as well as landline phone networks or public switched telephone networks.

Both the server devices 12 and the computing devices 14 may be connected to the communications network 16. Server devices 12 may be able to communicate with other server devices 12 or computing devices 14 through the communications network 16. Likewise, computing devices 14 may be able to communicate with other computing devices 14 or server devices 12 through the communications network 16. The connection to the communications network 16 may be wired or wireless. Thus, the server devices 12 and the computing devices 14 may include the appropriate components to establish a wired or a wireless connection.

The computer program of the present invention may run on the computing device or, alternatively, may run on one or more server devices 12. Thus, a first portion of the program, code, or instructions may execute on a first server device 12 or the computing device 14, while a second portion of the program, code, or instructions may execute on a second server device 12 or the computing device 14. In some embodiments, other portions of the program, code, or instructions may execute on other server devices 12 as well. For example, the database of inventory recordations may be stored on a memory element associated with the server device 12, such that the inventory recordation for each user is remotely accessible for each use of the computer program (e.g., stored in the “cloud”). Alternatively, each inventory recordation may be stored on the memory element associated with the respective computing device for the inventory recordation. In embodiments where the inventory recordations are stored remotely, the user may authenticate their identity at various computing devices while still accessing and relying on the same inventory recordation personal to the user.

Inventory Recordation

The present invention kills, blocks, denies execution of, or otherwise instructs the operating system to terminate execution of any application not listed on the inventory recordation. The inventory recordation is personal to the user, in that at least a plurality of the applications listed on the inventory recordation was added while the program was in the training mode and was added in response to the user's attempt to execute the application in the training mode. Thus, the inventory recordation is not a universal whitelist that is used for comparison/matching of applications for all computing devices and/or all users. Instead, the inventory recordation is specific to the particular computing device. Alternatively, as in an enterprise situation, the user may log on or otherwise authenticate their identity, and then the inventory recordation may be specific to the authenticated user, as opposed to the computing device. Reference to the inventory recordation being personal to the user encompasses both of the scenarios discussed above.

Referring to FIG. 3, the inventory recordation is an inventory or listing of applications, including information uniquely identifying each application. Although varying information may be used to identify the application, in embodiments of the present invention, the pathname for the particular application is used, at the least, to uniquely identify the application. A name for the application may also be used. As an example, Internet Explorer™ is a commonly-used Internet browser with the pathname C:\Program Files\Internet Explorer\iexplore.exe (unless the file iexplore.exe is otherwise moved to a different folder by the user of the computing device). The information on the inventory recordation identifying the Internet Explorer™ application is, at the least, the pathname, and this is the information that is used to compare a yet-to-be-approved application that the user is attempting to execute while in the protected mode. The pathname is unique for the particular application, in that two different applications cannot have the same pathname.

As is known in the art, the vast majority (approximately greater than 95%) of viruses or malware download to a computing device through a temporary internet file (“TIF”). The folder a particular TIF is assigned to by the operating system is random, such that the pathname assigned to the TIF is random. Therefore, it is statistically highly unlikely that a malfeasant attempting to execute a virus or item of malware on a computing device would be able to guess the pathname assigned by the operating system to the TIF containing the virus/malware. This is especially accurate given that the pathname includes the user profile name (or, as is sometimes the case, the computing device's name). Thus, the malfeasant would also need to target a particular user to even have the user profile name correct in the pathname. As most viruses and malware are deployed en masse in large numbers by the malfeasant, and are not otherwise targeted to particular users, the likelihood that the malfeasant would know the user profile name and be able to include it in the pathname for the TIF containing the virus/malware is extremely low.

Even for viruses that do not enter through a TIF, embodiments of the present invention perform substantially the same by listing unique identifying information, such as the pathname, for the application on the inventory recordation. For example, if a virus did not download as a TIF but was otherwise named with an authentic application's pathname, such as Internet Explorer™, then execution of Internet Explorer™ using the pathname C:\Program Files\Internet Explorer\iexplore.exe would not execute the authentic application. Therefore, the virus/malware would be very evident to the user. More importantly, it is generally difficult to spoof an authentic pathname for an application, which is why the vast majority of viruses are downloaded to the computing device via the TIF.

It should be appreciated that plug-ins and add-ons often used during web browsing, such as, for example, Java™, Flash™, ActiveX™, etc., are not applications executed by the operating system of the computing device but are instead embedded in the Internet browser application. Therefore, while the user is accessing an Internet browser, any plug-ins or add-ons that attempt to be executed will not be blocked by the computer program of the present invention. However, in the event the plug-in or add-on contains a virus or item of malware, upon the virus/malware attempting to execute as an independent application, the computer program will block said virus or malware if the protected mode is activated. Therefore, use of the present invention does not negatively affect the user's web browsing experience.

In embodiments of the present invention, at least one and preferably a plurality of the applications listed on the inventory recordation are listed by an administrator of the computer program and not as a result of the user attempting to execute the application during the training mode. In particular, there are many applications that the user executes without realizing that the application is even executing. For example, mmc.exe assists with managing plug-ins. Execution of the application by the user is likely unknown to most users. Other exemplary applications that may be listed as an administrator application include, without limitation, printing and audio drivers, volume control, remote desktop client, the user control panel, the task manager, backup applications, and other like applications. To address these less obvious applications executed by the operating system on a regular basis, embodiments of the present invention compile a list of unique identifying information for the administrator applications. In embodiments of the present invention, the listing of administrator applications is less than two hundred, less than one hundred fifty, or less than one hundred applications. Thus, the list of administrator applications is not a universal list of all potential authentic applications that could be executed by any user but rather the discrete list of applications required for efficient operation of the operating system. Notably, and as discussed below, the computer program updates the inventory recordation to include the listing of applications accessed by the user during the training mode.

As noted above, the inventory recordation may be stored locally or remotely, but in embodiments, the inventory recordation is stored remotely so as to allow access by the user via multiple computing devices and to prevent hacking or other malicious access of the inventory recordation. In particular, when the computer program of the present invention is executed during a particular use time, the inventory recordation is stored locally on the computing device. When the user exits or closes the computer program of the present invention, or the program is otherwise exited due to computing device inactivity by the user, the inventory recordation is uploaded to a remote site. When the computer program is again re-executed or the computing device is booted, the inventory recordation that is stored remotely is downloaded to the computing device. In alternative embodiments, the inventory recordation can be uploaded to the remote storage site more or less frequently, and the frequency of uploading can be user-selected.

In embodiments of the present invention, the inventory recordation is also password protected or requires some form of authentication to access it. This prevents a hacker from easily accessing the inventory recordation and modifying it to include pathnames corresponding to viruses or malware.

As illustrated in FIG. 7 at 116, the user may select to automatically allow all applications in the “Programs Files” folders to be added to the inventory recordation. Additionally, as illustrated at 118 in FIG. 7, the user may select to automatically allow all applications in the Windows Systems folders to be added to the inventory recordation.

Training Mode

While in the training mode, the computer program of the present invention executes any application instructed by the user and regardless of whether the inventory recordation comprises information uniquely identifying the application. The computer program does not match or compare the identifying information for the application to be executed against the identifying information for the applications listed on the inventory recordation for the respective user. Thus, while in the training mode, the computing device is susceptible to downloading and executing a virus or item of malware.

The user must train the computer program on what applications the user desires to permanently be executable by the operating system. If the user has not trained the computer program to include a particular application, and the application is not otherwise one of the discrete administrator applications, then while in the protected mode, attempted execution of the application will be terminated.

The training of the computer program is the initial step of compiling the inventory recordation personal to the user, as illustrated in Step 200 of FIG. 2. As illustrated in FIG. 4, the user first selectively activates the training mode, Step 202, using a computer user interface 100 of the present invention detailed below and hereinafter referred to as a “smart icon.” Activation of the training mode requires affirmative user selection, which is in contrast to activation of the protected mode as detailed below.

Upon the training mode being activated, the user accesses each of the applications the user normally uses, such as Microsoft Word™, Adobe™, etc., as shown in Step 204. Because the training mode is activated, each accessed application will be executed by the operating system. Additionally, the inventory recordation personal to the user is updated to include information uniquely identifying the accessed application, such as the pathname for the application, as shown in Step 206. Once the inventory recordation is updated to include the accessed application, the computing device will execute the application at any time and regardless of the activated program mode. Notably, the computing device will execute the application while in the protected mode because the pathname for the application will be on the inventory recordation and there will be a successful match, as discussed in detail below.

Should the pathname for the application change in the future due to an update or being moved on the computing device's operating system, then this will prevent execution of the application while in the protected mode. This is because the new pathname attempting to be executed while in protected mode is not on the inventory recordation. To remedy this, the user will activate the training mode using the smart icon and then select the application for execution. Upon execution of the application in the training mode, the inventory recordation will be updated to include the new pathname for the application.

Protected Mode

After the user has trained the computer program of the present invention on the common applications accessed by the user so that the inventory recordation personal to the user is compiled, the protected mode is activated or “ON”, as shown in Step 208 and illustrated in FIG. 5. Embodiments of the present invention contemplate two variations of the protected mode, namely a “Smart” mode and an “Always On” mode, as illustrated in FIG. 6. Although both variations of the protected mode are discussed below in detail, for ease of reference, the following is a brief discussion.

In the “Smart” protected mode, the computer program toggles between monitoring and not monitoring what applications the user requests to be executed depending on whether the user executes an application that presents a risk for further execution of a virus or item of malware, such as an Internet browser or e-mail client application. If the at-risk application is executed, then the application monitoring and blocking features are activated. In contrast, if the user is not running an application that presents a risk for execution of a virus (for example, the user is running Microsoft Word™), then the application monitoring and blocking features are not activated.

The “Always On” mode does not toggle between monitoring and not monitoring the applications executed by the user. Instead, the application monitoring and blocking features are always activated when in the “Always On” mode, regardless of whether the user activates an application that presents a risk for infection of a virus or item of malware.

In embodiments of the present invention, the “Smart” mode is the default protected mode that is activated after the training mode discussed above is completed. The user may manually select the “Always On” mode should the user desire to maintain the application monitoring and blocking features at all times (except, of course, when the training mode is otherwise activated). It is contemplated that the “Always On” mode is best used once the computer program of the present invention is well trained, that is once the user has compiled the inventory recordation personal to the user over an extended period of time, such that new applications to add to the inventory recordation are rare. In alternative embodiments of the present invention, the user may select which of the two variations of the protected mode the user desires to automatically activate upon deactivation of the training mode.

The protected mode may be activated by one of several different methods. It should be understood that because the protected mode is either of the two variations discussed above, namely the “Smart” mode and the “Always On” mode, activation of the protected mode activates one of these two variations, depending on either the default or user-selected preferences. In a first method, the protected mode is automatically activated by the computer program of the present invention after an elapsed period of time 102, as shown in the user-selected settings box 104 of FIG. 7. In particular, while in the training mode, the program monitors the period of time the training mode is activated or some other period of time, such as the time from when the user last accessed and executed an application. After a pre-set period of time has elapsed, the computer program automatically deactivates the training mode and activates the protected mode without requiring the user to affirmatively activate the protected mode. The advantage of the automatic activation of the protected mode is that the user does not need to remember to activate the protected mode. In embodiments of the present invention, a default pre-set period of time 102 may be used or the user may have the option of selecting another pre-set period of time. Exemplary pre-set periods of time are thirty seconds, forty-five seconds, one minute, three minutes, five minutes, or ten minutes.

In a second method of activation of the protected mode, after the pre-set period of time has elapsed, the computer program presents an interface to the user requesting if the user is finished with training the computer program. An exemplary user interface is a balloon or other pop-up requesting the user to confirm that the user is finished training the program. If the user selects in the affirmative or “yes, I am finished training the computer program,” then the computer program automatically activates the program mode. If the user selects in the negative or “no, I am not finished training the computer program,” then the computer program begins anew monitoring an elapsed period of time.

In a third method of activation of the protected mode, the user can manually activate the protected mode via the smart icon 100. In a fourth method, the protected mode is automatically activated after a new application is detected, as illustrated at 120 in FIG. 7. In this fourth method, when the user trains the computer program to add a new application to the inventory recordation, the protected mode is automatically activated after the new application is added. Other methods of activation of the protected mode could also be employed by the computer program.

As can be appreciated, most of the use time of the computing device will be while the protected mode is activated. In this mode, the user's ability to execute a virus or item of malware is significantly diminished, if not completely removed. When the “Always On” variation of the protected mode is activated, any application that the user attempts to execute is monitored and compared to the inventory recordation personal to the user. When the “Smart” variation of the protected mode is activated, any application that the user attempts to execute, while an at-risk application is running, is monitored and compared to the inventory recordation personal to the user. For both variations of the protected mode, if the application's unique identifying information is not listed on the inventory recordation, then the computer program of the present invention instructs the operating system to terminate execution of the application, as illustrated in FIG. 8.

In more detail and as illustrated at Step 210, the computer program receives the user's instruction to activate a yet-to-be-approved application, hereinafter referred to as an “unconfirmed application.” The computer program also receives information uniquely identifying the unconfirmed application, such as the application's pathname. The computer program compares the information uniquely identifying the unconfirmed application with the information uniquely identifying the plurality of applications listed on the inventory recordation personal to the user, as shown in Step 212. If the information for the unconfirmed application matches information for an application listed on the inventory recordation, then the application attempting to be executed is approved for execution, as shown in Step 214. In such a case, the computer program allows the application to execute or otherwise does not interfere with or prevent the operating system's execution of the application, such as by instructing the operating system to terminate execution of the application. However, if the information identifying the application attempting to be executed does not match with information for an application listed on the inventory recordation, then execution of the application is prevented, as shown in Step 216 and illustrated in FIG. 8. In particular, the computer program of the present invention instructs the operating system to terminate execution of the application or otherwise prevent execution of the application by the computing device. In embodiments of the present invention, if the computer program instructs termination of the application, the computer program will present a message, such as in the form of a pop-up or balloon notification 106 in FIG. 8, that informs the user that the application's execution was terminated. Alternatively or in addition, the smart icon may simply flash or briefly change colors to notify the user of the blocked application. If the user was attempting to execute what the user knew to be a legitimate application, this then informs the user that the inventory recordation needs to be updated. The user then activates the training mode via the smart icon and executes the application in the training mode to effectuate updating of the inventory recordation.

Embodiments of the present invention have the advantage of not requiring the user to respond to a prompt or request instructing whether an application should be executed or not. For example, prior art virus/malware prevention programs frequently operate by identifying a potentially suspicious application and then presenting to the user a prompt requesting the user to confirm or not confirm that the application should be executed. This methodology for preventing virus/malware execution fails for at least two reasons. First, many legitimate applications are identified by the computer program as being suspicious, which results in a large percentage of false positives. This large percentage of false positives then reduces user awareness of what could or could not be a virus or item of malware. Moreover, this requires the user to know, or at the least investigate, whether the application attempting to be executed and for which the user received the prompt is a legitimate application. Many computer users will not have the sophistication or knowledge to accurately confirm the legitimacy of the application.

Second, because many virus/malware prevention programs operate by presenting a prompt or request to the user to approve execution of the application, malfeasants know this and have mimicked the prompt or request interface of legitimate virus and malware prevention programs. Although there are many versions of mimicking a legitimate program, a common prompt is to ask the user if it would like a particular application (one that is often well known, such as JAVA™) to be updated. If the user confirms the update (or sometimes even if the user only selects any input on the prompt), the application containing the virus is executed. Embodiments of the present invention, upon receiving the user's selection to update the mimicked legitimate application, compare the pathname of the application to the inventory recordation to determine if the application is authentic and is approved for execution by the operating system.

As noted above, once an application is executed by the user in the training mode, such that the application is listed on the inventory recordation, there may be a circumstance where the application is updated by an administrator or source of the application. Most application updates do not result in the application being assigned a different pathname. However, it is foreseeable that some updated applications will be assigned a new pathname, such as if a major update is made or if a new version of the application is issued. In these instances, the pathname or other unique identifying information associated with the updated application will be changed from the prior version of the application, and as such, the unique identifying information for the application will not be listed on the user's inventory recordation. This will be evident to the user, as execution of the application while in the protected mode will be terminated.

Because the application is now identified with different unique information, the computer program of the present invention terminates execution of the application because it does not match identifying information on the inventory recordation. As described above, the user is notified that execution of the application was terminated. Because the notification is provided close in time and immediately in response to the user's attempt to execute the application, the user knows that the application information needs to be updated on the inventory recordation. The user will then activate the training mode and execute the application in the training mode, as described above.

“Smart” and “Always on” Variations of the Protected Mode

As noted above, the computer program initially defaults to the “Smart” protected mode as the preferred variation of the protected mode of embodiments of the present invention. In the Smart mode, the computer program monitors what applications the user requests to be executed. If the user executes an application that presents a risk for further execution of a virus or item of malware, such as an Internet browser application, then the application blocking features described above for the protected mode are activated. For example, the computer program would allow execution of the Internet browser application because it is listed on the inventory recordation. Because the browser is open on the computing device, the risk for executing a virus is significantly increased. Therefore, the Smart protected mode compares each new application to be executed against the inventory recordation, but this application monitoring and blocking feature is only activated when an at-risk application is running. In contrast, if the user is working on the computing device and executes an application that is not a risk for downloading and executing a virus or item of malware, such as Microsoft Word™, then the application execution features described above for the training mode are activated, wherein each new application to be executed is not compared to the inventory recordation.

Thus, the Smart program mode toggles between a first sub-mode wherein the computer program is comparing the applications requested for execution to the inventory recordation, and a second sub-mode, wherein the computer program is not comparing the accessed applications to the inventory recordation. Upon the user attempting to execute applications known to be a source for downloading and executing viruses, the Smart protected mode toggles to the first sub-mode, wherein all applications attempted to be executed are compared to the inventory recordation for the user. Exemplary applications known to be a source of viruses are Internet browsers and e-mail clients. It is to be appreciated that the Internet browser itself is not a source of viruses, but because the Internet browser is used to access data and potentially other applications, the execution of the Internet browser is a signal to the computer program to toggle the Smart protected mode to the first sub-mode of comparing all applications to be executed to the inventory recordation and terminating execution if not listed thereon.

In the second sub-mode where all applications are executed regardless if listed on the inventory recordation, the computer program may either update the inventory recordation to include the accessed application, similar to the training mode described above, or may simply allow execution of the application without updating the inventory recordation. In further alternatives, the user may select which of these two options the user desires the computer program to perform.

In alternative embodiments, activation of the first sub-mode of the Smart protected mode further comprises comparing each application that is executed and updating the inventory recordation with any newly-executed applications to the extent that an application is not a risk for a virus. However, upon executing an application that places the computer at risk for a virus, the Smart protected mode toggles to the second sub-mode of comparing each application to be executed to the inventory recordation. The default of the computer program of the present invention is that the Smart mode toggles to the second sub-mode upon execution of any Internet browser or any e-mail client. The computer program may also allow the user the option to deselect either of these at-risk applications or add additional at-risk applications.

Although not required, it is expected that the Smart protected mode will be used for a discrete period of time after the user initially installs the computer program of the present invention. For example, the Smart protected mode may be used for two weeks, after which the computer program automatically activates the “Always On” protected mode. The computer program may include a default time period after installation of the computer program, or the computer program may offer the user an option to select a period of time different than the default time period. A default period of time of several days to several weeks is long enough that most applications the user will ever execute on the computing device will be accessed during the period of time due to normal use of the computing device by the user. During this time period, the user is essentially training the computer program by executing applications that are then added to the user's inventory recordation. After the default or user-selected time period has expired and the computer program activates the “Always On” protected mode, should the user attempt to execute an application that is not on the inventory recordation, the user can simply activate the training mode and execute the application in the training mode to update the inventory recordation.

As also discussed above, when the “Always On” variation of the protected mode is activated, the computer program is continually monitoring each application requested by the user to be executed. Should the application not be listed on the inventory recordation, execution of the application is blocked, as illustrated in FIG. 8. The application monitoring and blocking features are implemented regardless of other applications executed on the computing device, such as an Internet browser or other at-risk application.

Upon initial installation of the computer program, the training mode is automatically activated or, alternatively, the user is instructed to activate the training mode. The user is then instructed to execute all the applications that the user accesses on a regular basis. Execution of each of the applications compiles the inventory recordation personal to the user. After the user has completed executing their regularly-used applications, the user is instructed to activate the preferred variation of the protected mode, which for new users is preferably the Smart protected mode. Once the Smart protected mode is activated, the user uses the computing device as they normally would for an extended period of time, such as several days to several weeks. During activation of the Smart protected mode, the blocking of all applications will only be initiated upon the user executing an at-risk application, such as an Internet browser. Upon executing the at-risk application, the Smart protected mode toggles to the second sub-mode of instructing termination of execution of all applications not listed on the inventory recordation. If an at-risk application is not executed by the user while in the Smart protected mode, the computer program continues the compiling of the inventory recordation by continually monitoring and comparing each accessed application to the current inventory recordation and updating the inventory recordation with any newly-executed applications.

After the extended training time afforded via the Smart protected mode is over, the user may optionally activate the Always On protected mode (or, alternatively, the computer program automatically activates the Always On protected mode after the expiration of a pre-set period of time, as described above). Once in the Always On protected mode, all applications not listed on the inventory recordation are blocked (i.e., execution is instructed to be terminated), regardless of whether the user has executed an at-risk application, such as an Internet browser.
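The mode logic described above (training, then the Smart protected mode, then Always On) can be exercised as a small model. The following is an added example, not code from the patent or from any product: the class and function names, the at-risk executable names, the learn_when_unmonitored switch and all pathnames are constructed assumptions, and the identifier used for matching is the normalized pathname, the page's own example of identifying information.

```python
"""Model of the training / Smart / Always On decision logic (illustrative only)."""
import ntpath
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    TRAINING = "training"
    SMART = "smart"          # protected; compares only while an at-risk app runs
    ALWAYS_ON = "always_on"  # protected; compares every launch


def identity(pathname: str) -> str:
    """Identifying information for an application: its normalized Windows pathname."""
    return ntpath.normcase(ntpath.normpath(pathname))


@dataclass
class Guard:
    mode: Mode = Mode.TRAINING
    # Assumption: at-risk applications are recognised by executable name.
    at_risk_names: frozenset = frozenset({"browser.exe", "mailclient.exe"})
    # Assumption: the "update the inventory in the unmonitored sub-mode" option.
    learn_when_unmonitored: bool = True
    inventory: set = field(default_factory=set)
    running_at_risk: Counter = field(default_factory=Counter)

    def monitoring(self) -> bool:
        """True when launches are compared against the inventory recordation."""
        if self.mode is Mode.ALWAYS_ON:
            return True
        if self.mode is Mode.SMART:
            return sum(self.running_at_risk.values()) > 0
        return False

    def on_launch(self, pathname: str) -> str:
        """Return 'allow' or 'terminate' for one execution request (Steps 210-216)."""
        ident = identity(pathname)
        if self.monitoring():
            if ident not in self.inventory:
                return "terminate"
        elif self.mode is Mode.TRAINING or self.learn_when_unmonitored:
            self.inventory.add(ident)
        # An allowed at-risk application switches Smart mode to monitoring.
        if ntpath.basename(ident) in self.at_risk_names:
            self.running_at_risk[ident] += 1
        return "allow"

    def on_exit(self, pathname: str) -> None:
        """Record that one instance of an application has closed."""
        ident = identity(pathname)
        if self.running_at_risk[ident] > 0:
            self.running_at_risk[ident] -= 1


def replay(guard: Guard, events) -> list:
    """Feed (kind, value) events to the guard; return (pathname, verdict) per launch."""
    results = []
    for kind, value in events:
        if kind == "mode":
            guard.mode = Mode(value)
        elif kind == "exit":
            guard.on_exit(value)
        else:
            results.append((value, guard.on_launch(value)))
    return results


# Constructed sample pathnames and event sequence.
WORD = r"C:\Program Files\ExampleOffice\word.exe"
WORD_V2 = r"C:\Program Files\ExampleOffice\v2\word.exe"   # same app after an update
BROWSER = r"C:\Program Files\ExampleBrowser\browser.exe"
NOTES = r"C:\Tools\notes.exe"
DROPPED = r"C:\Users\alice\Downloads\update_installer.exe"

EVENTS = [
    ("mode", "training"),
    ("launch", WORD), ("launch", BROWSER), ("exit", BROWSER),
    ("mode", "smart"),
    ("launch", NOTES),         # no at-risk app running: allowed
    ("launch", BROWSER),       # allowed; comparison now active
    ("launch", DROPPED),       # not on inventory: terminated
    ("launch", WORD.upper()),  # same pathname, different case: allowed
    ("launch", WORD_V2),       # pathname changed by update: terminated
    ("exit", BROWSER),
    ("launch", WORD_V2),       # comparison inactive again: allowed
    ("mode", "always_on"),
    ("launch", DROPPED), ("launch", WORD_V2),
]

if __name__ == "__main__":
    for path, verdict in replay(Guard(), EVENTS):
        print(f"{verdict:9} {path}")
```

With learn_when_unmonitored enabled, whatever is launched while no at-risk application is running enters the inventory, so later Always On verdicts depend on what ran during that window; with it disabled, only the training mode adds entries.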

Off Mode

In yet further embodiments of the present invention, the user may activate a third program mode, wherein the application execution blocking features described above for the protected mode are permanently off, and the program mode does not change until selective activation by the user. This “off” program mode essentially permanently turns off any virus/malware prevention feature. Because the off program mode places the computing device at risk for executing a virus or item of malware, embodiments of the present invention may require the user to enter a password or perform some advanced steps to activate this program mode. This would then prevent accidental activation of the off program mode or activation by a lesser-skilled user.

Additional Features

Embodiments of the present invention provide several user-selectable options to customize the computer program to the user. In a first option, the user may select when the computer program is activated, and specifically, when the protected mode is activated, as illustrated at 110 in FIG. 7. A default preference is that the protected mode is activated anytime the computing device is powered on or restarted or the operating system is booted.

As is known in the art, many updates to the operating system and to applications are automatically pushed to the computing device. Similarly, backups of the computing device are often routinely and automatically performed. To address these automatic updates and backups, the computer program offers the option of deactivating the protected mode upon the computing device being idle for a pre-set period of time, as illustrated at 112 in FIG. 7. The user has the option of selecting the pre-set period of time, but exemplary idle times are five minutes, ten minutes, thirty minutes, or greater than or equal to one hour. Alternatively, the pre-set idle time can be instructed to be the same as the pre-set time before which the screen saver of the computing device activates.

If the computing device is idle and the protected mode is deactivated, then the training mode is automatically activated. Any updates that are pushed to the computing device are automatically compared to the current inventory recordation and added if the update has a new pathname for the application. Thus, the computer program of the present invention does not interfere with routine operation and maintenance of the computing device. Upon the user accessing the computing device, i.e., terminating the device being idle, the protected mode is automatically activated.

Similar to the password feature while in the off program mode, another feature of embodiments of the present invention is a user-selectable required password or authentication procedure to activate the training mode. In particular, the computer program may present a user-selectable option for requiring that a password be submitted upon receipt of the user's request to activate the training mode (or otherwise deactivate the protected mode). The training mode would then not be activated by the computer program until entry of the correct password or submission of the required authentication. This prevents a child or unskilled user from activating a mode that would place the computing device at risk of executing a virus or item of malware. This feature may also be desirable in an enterprise environment, wherein the administrator selects this option and an administrator password is required to deactivate the protected mode.

The user may also select whether to receive balloon notifications of the blocking of an application, which is illustrated at 108 in FIG. 8. In the user preferences box 104 of FIG. 7, the user may enable balloon notifications, as illustrated at 114 in FIG. 7. Regardless of whether balloon notifications are enabled, the smart icon 100 flashes when an application is blocked so as to visually notify the user of the blocked application.

Embodiments of the present invention also allow the user to view the inventory recordation personal to the user, including the information uniquely identifying each of the applications. This feature may be beneficial to skilled users. The computer program may also require a password to modify the inventory recordation or may altogether prevent manual modification of the inventory recordation (i.e., not otherwise compiling the inventory recordation as described above).

Smart Icon

The computer program of embodiments of the present invention uses the smart icon 100 as a user interface. Use of the smart icon provides for an unobtrusive user experience. Although the smart icon 100 is specifically described herein with respect to the above-described virus/malware prevention system, the smart icon could be used for a variety of computer programs implementing various functions.

As illustrated in FIG. 5, the smart icon 100 is relatively small compared to the overall display size of the computing device, and as such, the smart icon 100 is approximately 50×50 pixels, although it can be enlarged or made smaller based upon user preference. In embodiments of the present invention, the smart icon offers unlimited left and/or right-click user options. The smart icon 100 is not simply a shortcut to the application, and right-clicking of the icon does not simply present standard “shortcut” options, such as “open,” “cut,” “copy,” etc. Instead, the smart icon 100 is the application itself and left and/or right clicking the smart icon 100 presents a menu 122 of user-selectable application operations.

In Microsoft Windows™, the smart icon 100 is a Microsoft Windows Form with the ControlBox set to “False” and FormBorderStyle set to “None.” The smart icon 100 exhibits a transparent background with an overlay of a standard software icon. The smart icon thus visually appears as a standard desktop icon, while giving it the ability to offer the unlimited left and/or right-click user options. This includes, but is not limited to, the activation and deactivation of the particular program mode, as illustrated at 122 in FIG. 6. The relatively small size of the smart icon allows the user to easily activate and deactivate the training mode or any other program mode while remaining unobtrusive to the user experience. Upon left click of the smart icon 100, the appearance of the smart icon toggles between an image that represents the protected mode being “active” (FIG. 5), and an image that represents the protected mode being “inactive” (i.e., the training mode is activated) (FIG. 4). For each successive left mouse click, the protected mode is activated or deactivated, respectively.

In one embodiment, the smart icon 100 is located in one of the four computer monitor corners, as selected by the user, and is always on top of all other program windows (FIG. 5). In other embodiments, the smart icon can be moved or dragged anywhere on the computer desktop by the user to ensure the unobtrusive user experience. Other embodiments include, but are not limited to, placing the smart icon in the Task Bar or Tray Menu area of the desktop screen. When the user performs a right click on the smart icon, the menu 122 appears that allows the user to manipulate the various user-controlled elective options, as described above and as illustrated in FIG. 6.

Whenever a new application that is not listed on the inventory recordation is initiated and detected by the computer program, the smart icon 100 temporarily flashes to alert the user that a new application is attempting to run, start, or execute. As described above, the computer program instructs the operating system to simultaneously terminate execution of the application when in the protected mode. In addition to or as an alternative to the smart icon flashing, the computer program may present the balloon 108 to the user noting that an application's execution has been terminated, as illustrated in FIG. 8. As mentioned above, this will inform the user to activate the training mode if the blocked application was a legitimate application the user was attempting to access but that was not otherwise listed on the inventory recordation.

Although the invention has been described with reference to the embodiments illustrated in the attached drawing figures, it is noted that equivalents may be employed and substitutions made herein without departing from the scope of the invention as recited in the claims. Embodiments of the present invention may, prior to allowing execution of an application, perform a comparison of the application to a list of known viruses/malware. This would be a secondary defense to ensuring that the computing device does not execute a virus. However, this will also use up additional processing power of the computing device, as the list of known viruses on a day-to-day basis is very large (e.g., multiple tens of thousands), and comparison of the yet-to-be-approved application to the list of known viruses will require more time than comparison of the application to the inventory recordation.

Having thus described various embodiments of the invention, what is claimed as new and desired to be protected by Letters Patent includes the following: 

1. A non-transitory computer-readable storage medium with an executable program stored thereon for preventing execution of a virus or malware on a computing device, wherein the program instructs a processor to perform the steps of:
  compile an inventory recordation personal to a user, wherein the inventory recordation comprises information uniquely identifying a listing of applications approved for execution by the processor during use of the program by the user in a protected mode, wherein said step of compiling an inventory recordation further comprises instructing the processor to perform the steps of—
    receive an instruction from the user to selectively activate a training mode, wherein upon activation of the training mode, the program will execute any application instructed by the user and regardless of whether the inventory recordation comprises information uniquely identifying the requested application,
    receive information identifying at least one application requested by the user to be executed by the computing device, and
    update the inventory recordation to include the information identifying the at least one requested application;
  activate the protected mode, such that upon activation of the protected mode, the training mode is automatically deactivated;
  receive, while the protected mode is activated, information indicative of an instruction by the user to execute an unconfirmed application, wherein the information indicative of an instruction by the user to execute an unconfirmed application includes information identifying the unconfirmed application;
  compare the information identifying the unconfirmed application with information identifying the listing of applications on the inventory recordation that are approved for execution;
  identify the unconfirmed application as an application approved for execution if the information identifying the unconfirmed application matches with information identifying an application on the inventory recordation; and
  identify the unconfirmed application as an application not approved for execution if the information identifying the unconfirmed application does not match with information identifying an application on the inventory recordation.
 2. The computer-readable storage medium of claim 1, wherein the program instructs the processor to perform the step of instructing an operating system of the computing device executing the program to terminate execution of the application upon the unconfirmed application being identified as an application not approved for execution.
 3. The computer-readable storage medium of claim 2, wherein the user is not required to respond to a prompt or to affirmatively instruct the operating system executing the program to prevent execution of the unconfirmed application.
 4. The computer-readable storage medium of claim 1, wherein the program instructs the processor to perform the step of automatically preventing execution of the application by the processor upon the unconfirmed application being identified as an application not approved for execution.
 5. The computer-readable storage medium of claim 1, wherein during said training mode, the program allows execution of any application for which it receives instructions by the user to execute, regardless of whether the application is identified on the inventory recordation.
 6. The computer-readable storage medium of claim 5, wherein during said protected mode, the program allows execution of only the applications listed on the inventory recordation.
 7. The computer-readable storage medium of claim 5, wherein during said protected mode, the program monitors whether an Internet browser or e-mail client application is executed, and if such Internet browser or e-mail client application is executed, the computer program allows execution of only the applications listed on the inventory recordation, and if such Internet browser or e-mail client application is not executed, the computer program allows execution of any application, regardless of whether the application is identified on the inventory recordation.
 8. The computer-readable storage medium of claim 7, wherein the inventory recordation is only updated to include the application while the training mode is activated or while an Internet browser or e-mail client application is not running when the protected mode is activated.
 9. The computer-readable storage medium of claim 1, wherein prior to compiling the inventory recordation personal to the user, the program instructs the processor to perform the step of determining an activated program mode, wherein the training mode and the protected mode are both program modes.
 10. The computer-readable storage medium of claim 1, wherein the program instructs the processor to perform the steps of monitoring an elapsed period of time that the training mode is activated or that the computing device is idle, and upon the elapsed period of time being equal to or greater than a pre-set training time, presenting to the user a prompt to activate the protected mode.
 11. The computer-readable storage medium of claim 1, wherein the training mode is a first program mode, the protected mode is a second program mode, and further including a third program mode comprising an off mode, wherein when said off mode is activated, the program allows execution of any application, regardless of whether it is identified on the inventory recordation, and the elapsed period of time is not monitored.
 12. The computer-readable storage medium of claim 1, wherein the inventory recordation further includes an administrator listing that identifies application for which the user did not attempt to execute during activation of the training mode.
 13. The computer-readable storage medium of claim 1, wherein the computer program is represented on a display of the computing device via an icon, and selection of the icon by left or right-clicking a user interface presents a menu of user-selectable options for instructing the computer program.
 14. A method for preventing execution of a virus or an item of malware on a computing device, wherein the method comprising the steps of:
receiving an instruction from the user to selectively activate a training mode of a computer program;
receiving information identifying at least one computer application requested by the user to be executed by the computing device;
updating an inventory recordation to include the information identifying the at least one requested application, wherein the inventory recordation comprises information uniquely identifying a listing of applications approved for execution by the computing device during use of the program by the user in a protected mode, wherein upon activation of the training mode, executing any application requested by the user and regardless of whether the inventory recordation comprises information uniquely identifying the requested application;
activating the protected mode of the computer program, such that upon activation of the protected mode, the training mode is automatically deactivated;
receiving, while the protected mode is activated, information indicative of an instruction by the user to execute an unconfirmed application, wherein the information indicative of an instruction by the user to execute an unconfirmed application includes information identifying the unconfirmed application;
comparing the information identifying the unconfirmed application with information identifying the listing of applications on the inventory recordation that are approved for execution;
identifying the unconfirmed application as an application approved for execution if the information identifying the unconfirmed application matches with information identifying an application on the inventory recordation; and
identifying the unconfirmed application as an application not approved for execution if the information identifying the unconfirmed application does not match with information identifying an application on the inventory recordation.
 15. The method of claim 14, further including the step of instructing an operating system of the computing device executing the program to terminate execution of the application upon the unconfirmed application being identified as an application not approved for execution.
 16. The method of claim 15, wherein the user is not required to respond to a prompt or to affirmatively instruct the operating system executing the program to prevent execution of the unconfirmed application.
 17. The method of claim 14, further including the step of automatically preventing execution of the application by the processor upon the unconfirmed application being identified as an application not approved for execution.
 18. The method of claim 14, wherein the inventory recordation is only updated to include the application while the training mode is activated.
 19. The method of claim 14, wherein prior to compiling the inventory recordation personal to the user, determining an activated program mode, wherein the training mode and the protected mode are both program modes.
 20. The method of claim 14, further including the steps of monitoring an elapsed period of time that the training mode is activated or that the computing device is idle, and upon the elapsed period of time being equal to or greater than a pre-set training time, presenting to the user a prompt to activate the protected mode. 
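The mode logic recited in claims 1 to 11 can be modelled as a small state machine. The sketch below is an added illustration, not code from the patent: the names `Mode`, `ExecutionGuard`, `identify` and `walk_through` are hypothetical, a SHA-256 digest of the file content is assumed as the "information uniquely identifying" an application, and the inventory is assumed to be updated whenever claim 8 permits it.

```python
import hashlib
from enum import Enum

class Mode(Enum):
    OFF = "off"              # claim 11
    TRAINING = "training"    # claims 1, 5
    PROTECTED = "protected"  # claims 1, 6, 7

def identify(image: bytes) -> str:
    # Assumption: a SHA-256 digest of the file content serves as the
    # "information uniquely identifying" an application.
    return hashlib.sha256(image).hexdigest()

class ExecutionGuard:
    def __init__(self):
        self.mode = Mode.OFF
        self.inventory = set()           # the per-user inventory recordation
        self.net_client_running = False  # browser or e-mail client (claim 7)

    def activate(self, mode: Mode) -> None:
        # One mode at a time: activating protected deactivates training.
        self.mode = mode

    def request_execution(self, image: bytes) -> bool:
        """Return True if execution proceeds, False if it is terminated."""
        ident = identify(image)
        if self.mode is Mode.OFF:
            return True                  # no checks, nothing learned
        if self.mode is Mode.TRAINING:
            self.inventory.add(ident)    # learn whatever the user runs
            return True
        if not self.net_client_running:
            self.inventory.add(ident)    # claim 8 window (assumed to learn)
            return True                  # claim 7: unrestricted
        return ident in self.inventory   # claims 2-4: block without a prompt

def walk_through() -> dict:
    # Constructed sample "application images", not real binaries.
    editor, unknown = b"constructed editor image", b"constructed unknown image"
    guard = ExecutionGuard()
    guard.activate(Mode.TRAINING)
    guard.request_execution(editor)
    guard.activate(Mode.PROTECTED)
    guard.net_client_running = True
    out = {"trained": guard.request_execution(editor),
           "patched": guard.request_execution(editor + b"\x00"),
           "unknown": guard.request_execution(unknown)}
    guard.net_client_running = False     # browser closed, still protected
    out["unknown_browser_closed"] = guard.request_execution(unknown)
    guard.net_client_running = True
    out["unknown_afterwards"] = guard.request_execution(unknown)
    return out
```

Under these assumptions, `walk_through()` shows two properties worth checking in any implementation of the claims: a content-based identifier blocks a modified copy of a trained application, and anything executed in the claim 7/8 window with no browser or e-mail client running is trusted from then on.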